Looking beyond cash flow within a risk assessment.

Bernard Parsons of BeCrypt details the reality of IT threats and how they should be factored into security investment decisions.

Security Vendors typically, and unsurprisingly, view with negativity the "cash flow" approach that many organisations take towards data security. Such an approach entails assessing the immediate cost to the business that would result from attacks against their IT infrastructure. If this cost is seen as being less than or roughly equal to the cost of improving system security, then system security may not be improved, as the investment to do so is not justified.

As a result, the role of the vendor community is in part to highlight the risks associated with emerging threats, typically those to which potential customers have had little or no exposure. The objective here is to influence the investment decision, highlighting both potential risks, and the compromises that have occurred elsewhere. This is often regarded as "threat hyping", but as a process has some validity, partly because a simple "cash flow" algorithm can ignore issues such as potential brand damage from high-profile incidents.

Nevertheless, given that decisions are predominately made or defended at board level, some version of this algorithm often applies. This is not only the case for the vast majority of commercial organisations worldwide, but includes government departments, which have had to adjust from a previous risk-averse stance. Even the more paranoid organisations have had to accommodate the acceleration in technology, both in terms of evolving threats, and in the need for increased flexibility and efficiency across business processes. This is reflected by the development of Risk Management policies and frameworks. Risk Management entails assessing the value of assets and the impact to the organisation resulting from their compromise. The approach allows far more room for the consideration of system availability and integrity alongside, or often in place of, governments' traditional focus on confidentiality.

There is a general acceptance that one needs to allow for the possibility that data on systems may be compromised, particularly if not doing so results in an unacceptable reduction in the availability of systems.

System compromise will continue to pose a threat for most organisations, driven by an increasingly capable attacker community. Their sophistication is growing as a result of collaboration across diverse communities, where vulnerabilities, tools to exploit vulnerabilities, and the results of exploits are traded on a relatively new, but expanding electronic black market.

Compromises typically occur at a system's weakest point, and technology mobility has been one of the principle factors defining weak points. Competition for efficiency and flexibility across industry sectors drives an increasing distribution of electronic assets. The pattern of: vulnerability popularisation, followed by initial security solutions, followed by product maturation and commoditisation, has trodden a path out from the corporate HQ, across laptops, mobile devices and peripherals, and has landed more recently at the un-managed machine.

Businesses are being forced to consider the use of machines that are not under the direct control of the organisation. Whilst email access from anywhere is not uncommon, there is a growing requirement to open corporate resources to home machines, partner networks, or even public machines, to support occasional remote working and business continuity. This is a new frontline: a recent impromptu survey of a US defense department's employees' home machines used for official email uncovered numerous instances of key logger and other forms of malicious software. Along with equally popular screen-grabbers, these are in-vogue tools for both targeted and random attacks.

Initial security solutions have offered a nominal and limited level of defence for the un-managed machine. Combining end-point inspection with an SSL VPN makes a huge assumption that the security controls being inspected for are less sophisticated than, and knowledgeable of, resident malicious software. Such an approach may be little use in protecting against a targeted attack. Employing virtualization technology requires similar assumptions. Both solutions allow for an arms race to progress between attacker and defender, without even requiring the attacker to change the nature of the attack.

Over the last year product maturation has occurred in solutions that employ secure operating systems on bootable media. This approach allows an organisation to remain in control of a system, rendering the un-managed platform arbitrary. The home computer is used solely to boot the official, albeit portable, OS. Typical security controls include device encryption to enforce confidentiality and system integrity, as well as a modified OS to prevent disk or peripheral access and to protect network connections. The level of security provided can approach, or in some cases exceed, that of the corporate issued laptop. The impact on potential flexibility within the workplace is significant, enabling a larger percentage of the workforce to work remotely and, for those that already do, increasing the reliability of their access.

The coming year will see broader adoption of the bootable media approach to securing remote access. In parallel, security vendors will look to make better use of the increasingly pervasive built-in hardware support for security from device and machine manufacturers. When used within appropriately controlled procedures, this will enable the establishment of trust points resistant to the most sophisticated of attacks. Soon, our most sensitive corporate resources will follow us everywhere!

BeCrypt is exhibiting at Infosecurity Europe 2008, Europe's number one dedicated Information security event. Now in its 13th year, the show continues to provide an unrivalled education programme, new products & services, over 300 exhibitors and 11,700 visitors from every segment of the industry. Held on the 22nd - 24th April 2008 in the Grand Hall, Olympia, this is a must attend event for all professionals involved in Information Security.